Ensure S3 Object Copy is encrypted by KMS using a customer managed Key (CMK)

Error: AWS S3 Object Copy not encrypted using Customer Managed Key
Bridgecrew Policy ID: BC_AWS_GENERAL_101
Checkov Check ID: CKV_AWS_181
Severity: LOW

AWS S3 Object Copy not encrypted using Customer Managed Key

Description

This is a simple check to ensure that the S3 Object Copy is using AWS key management - KMS to encrypt its contents. To resolve add the ARN of your KMS or link on creation of the cluster.

Fix - Buildtime

Terraform

  • Resource: aws_s3_object_copy
  • Attribute: kms_key_id - (Optional) Specifies the AWS KMS Key ARN to use for object encryption. This value is a fully qualified ARN of the KMS Key.
resource "aws_s3_object_copy" "test" {
  bucket = "destination_bucket"
  key    = "destination_key"
  source = "source_bucket/source_key"
+ kms_key_id = "aws_kms_key.foo.arn"


  grant {
    uri         = "http://acs.amazonaws.com/groups/global/AllUsers"
    type        = "Group"
    permissions = ["READ"]
  }
}